Thursday, May 27, 2021

Threat Source newsletter (May 27, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We're used to referring to attackers as either APTs or not APTs. And when something is an APT, it sounds a lot scarier and sexier. But it's our belief that that isn't going to cut it anymore.

Therefore, we propose in a new blog post that there be a new group of threat actors known as "privateers." These groups benefit from a nation-state but can't be directly connected to a government. Find out more about these groups here.

You also don't want to miss this Vulnerability Spotlight post on the Trend Micro Home Network Security Station. These vulnerabilities, which have been patched, could allow an attacker to manipulate this device which manages devices connected to a home network.

Upcoming public engagements with Talos

Date: June 2 at 11 a.m. ET
Overview: Join Cisco Talos for a livestream presentation to discuss malware campaigns targeting collaboration apps like Discord and Slack. Following up on Talos' blog post from earlier this year, the presentation will dive into campaigns we've spotted in the wild and discuss how users can stay safe while using these apps. You can watch along with us, and participate in a live Q&A, live on LinkedIn and the Talos YouTube channel.

Cybersecurity week in review

  • The latest macOS update provided a fix for a recently discovered malware that could take screenshots on victim machines. Attackers developed the malware to bypass certain permissions in a way that could allow them to access the target's microphone, webcam or keystrokes.
  • Apple also released an important update for iOS that fixes several security vulnerabilities. Some of the fixes affect Apple devices dating back to the iPhone 6.
  • Ireland's health care system is still recovering from a recent ransomware attack. But they were handed some unexpected help from the attackers, who reportedly provided them with a key to decrypt their files despite not paying the requested ransom.
  • Several Japanese government agencies are the victims of a recent cyber attack and some information may have been leaked. The attack stems from an attack against a widely used information-sharing software.
  • Researchers at the National Cybersecurity Agency of France discovered a new way to impersonate devices during the Bluetooth pairing process. The recently discovered vulnerabilities build on an attack method discovered last year that exists in core Bluetooth specifications.
  • Millions of Air India users had their information leaked in a data breach earlier this year. Details compromised included passport and ticket information, and some credit card information.
  • Security experts are still dissecting U.S. President Joe Biden's recent Executive Order on cybersecurity, aimed at improving America's infrastructure security. The order places a greater focus on zero trust and the potential implications this has for federal agencies and their contractors.
  • The U.S. Department of Homeland Security is preparing new directives for the oil pipeline industry. There will likely be new rules in place that will require pipelines to disclose security breaches in a timely manner and designate a 24-7 cybersecurity contact with a direct line to the DHS and CISA.

Notable recent security issues

Description: A recently discovered wormable vulnerability in the Windows HTTP protocol stack could also be used to target unpatched Windows 10 and Server systems publicly exposing the Windows Remote Management service. A security researcher released POC code for the vulnerability, patched in this month’s Microsoft security update, last week. The vulnerability only affects WinRM if a user manually enables it on their Windows 10 systems, though enterprise Windows Server endpoints have it toggled on by default. This potentially increases the attack surface for any adversaries that uses the vulnerability to spread a ransomware attack, as they could move quickly across the targeted environment. Microsoft has urged users to update their affected products as soon as possible. 
Snort SIDs: 57605 

Description: Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome. CVE-2021-21160 is a buffer overflow vulnerability in Chrome’s AudioDelay function that could allow an adversary to execute remote code. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted HTML page in Chrome. Proper heap grooming can give the attacker full control of this heap overflow vulnerability, and as a result, could allow it to be turned into arbitrary code execution. 
Snort SIDs: 57057, 57058 

Most prevalent malware files this week

MD5: 29c8ba0d89a9265c270985b02572e693 
Typical Filename: 29C8BA0D89A9265C270985B02572E693.mlw 
Claimed Product: N/A 
Detection Name: W32.7263EC6AFA.smokeloader.in11.Talos  

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 8193b63313019b614d5be721c538486b 
Typical Filename: SAService.exe 
Claimed Product: SAService 
Detection Name: 
MD5: 4dd358e4af31fb9bf83c2078cd874ff4 
Typical Filename: smbscanlocal1805.exe  
Claimed Product: N/A 
Detection Name: Auto.D88B26B369.241855.in07.Talos 

MD5: 34560233e751b7e95f155b6f61e7419a 
Typical Filename: SAntivirusService.exe 
Claimed Product: A n t i v i r u s S e r v i c e 
Detection Name: PUA.Win.Dropper.Segurazo::tpd 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.